Good morning, everyone. It's a long walk over here. This is Breaking the Back End, DEF CON China 1.0. Congratulations.
My name is Gregory Pickett with Hellfire Security. I'm part of the Cybersecurity Operations Group.
Brief overview of what we'll be talking about today. I'm going to start with transit systems.
Just a brief history, honestly, of several different talks, the major talks that we've seen so far.
And then, of course, we'll talk about our target.
After that, we're going to reverse engineer that target. We're going to learn a little bit about how it works, how that system works.
Then we'll talk about the discoveries, what we discovered through that reverse engineering, and then the exploit developed from it.
And, of course, always at the end of talks, lessons learned.
So we've had a couple talks over the years.
The anatomy of a subway hack in 2008 was taking traditional attacks and applying them to a subway station.
Bypassing physical security, hacking the wired and wireless network.
Actually, oops, I got that backwards.
That was bypassing physical security and then hacking the terminal.
The terminal is set up as a kiosk.
So the next one after that was the NFC subway hack of 2012, where you're looking at attacking the hardware.
There's a read-only bit. I think there were a couple different bits on that card because they weren't set.
They were writable. They were able to replenish that stored value card.
Then we had the how to hack all the transport networks of a country in 2012, going back to traditional attacks.
This time around, it was social engineering.
This one was the...
Attacking the wired and wireless networks, and I believe several what-ifs, as far as attacking the encryption.
What if we did this? What if we did that?
Could we get the keys to write to the ticket?
And then the breaking Korea transit card with side-channel attack in 2017, going back to attack the hardware.
NFC again, doing side-channel attacks to get the secret key so that you could then write to that card and replenish it.
Okay?
This is a little different.
Not illegal.
We aren't sneaking into the station.
We aren't hacking their terminals or we aren't social engineering anyone or attacking the wired or wireless network.
And it's also not about the hardware.
We aren't cracking anyone's encryption.
We aren't cloning the mag stripe, the RFID, or in most cases, of course, NFC.
This is about flaws in application logic.
There's cloning involved.
I will admit that.
We do clone, but that's not the vulnerability that we're exploiting.
Instead, we're using AppSec to attack a complex, multilayered, real-world solution.
Lots of moving parts.
We'll see where they break.
So our target is the elevated train.
That's the Bangkok Mass Transit System, or BTS, in Bangkok, Thailand.
Elevated rapid transit system there serves the greater Bangkok area,
operated by the BTSC.
Actually, there are several different companies involved.
Holding company, holding company, holding company.
43 stations along two lines.
I think that's from the website.
And they've been expanding.
So there's probably a couple more stations.
They have lots of different lines planned.
So more stations.
The tickets the system uses is a sort of value card that's based off NFC.
And then all-day pass and a single-journey ticket.
Both using the mag stripe.
And that is what we'll be looking at.
Those tickets have two mag stripes each.
There's a hole through one mag stripe.
And it's about 0.27 millimeters thick.
You're not going to go to this corner store and order these.
You're not going to go to a warehouse.
You're not going to open a catalog.
So not easy to get.
There are our tickets there.
You can see.
Okay, I was very excited that they have a laser pointer.
I see the hole there.
And there's actually a little hole there.
So top is the single journey.
And the bottom is the all-day pass.
Very thin.
I wanted to stress that.
So we have the gates there.
When you enter.
And the two.
I'm going to make use of this laser pointer here a lot.
So the two there are set up for enter.
Little arrows there.
You slide it in a slot.
It gets processed.
Pops out at the top.
Gate opens up.
You walk through.
And the same thing when you exit.
You're going to go ahead and slide it in there.
It's actually going to capture it at that time.
The gate opens up.
And you get to leave.
Okay.
So why them?
Well, mag stripe, really.
You know, it's something very, very old.
Seemed then very, very interesting.
And, of course.
Of all the issues out there.
You know, mag stripe is very popular for having quite a number of them.
Almost as many, you know, famous as windows.
So you have all these questions.
You talk about it.
You talk about it.
So, you know, at some point in time you have to put up.
If they say you're shut up.
So I wanted to answer these questions for myself.
My friends.
And really just get this done.
Get it out of the way so I can move on to other things.
Okay.
So we have to have some equipment to read these tickets.
That's the first thing you really are able to do and you want to do is read those tickets.
So you get the equipment.
It's a standard reader/writer that I ended up using.
And I went through lots of different equipment.
As my understanding changed, so did the equipment that I used.
But I ended up here with a standard reader/writer manufactured in China.
Thank you.
It does standards.
All right.
So it reads it and will decode it according to the standards.
Or you can do a raw read where it just dumps.
What's on the card.
What's on the ticket.
Errors are rare.
It handled that hole really well.
Originally I thought that hole was kind of a 1980s style copy protection.
I don't think maybe many of you are old enough to know what that is.
Essentially what they would do is introduce an error or damage.
They would damage a sector on a disc so that if the utility from the OS would attempt to copy it, it would fail.
The copy would fail.
You couldn't then copy the disc.
You couldn't copy the game.
So I'm thinking they're introducing this hole so that essentially if you tried to use it with a standard reader/writer, it would just fail and you couldn't get any of the data off there.
It turns out it was just to make sure that the ticket was facing the right way.
And essentially oriented the right way and that the mag stripes were down.
Okay.
So I could end up just using a standard reader/writer.
And very reliable performance.
Very reliable performance.
It's important that you have.
Reliable performance.
That way you get reliable data.
And that way your analysis goes much, much easier.
All right.
So when you're sitting down with this reader and you're reading the tickets, you have a lot of questions.
You know, data location.
Encoding schemes.
How does the data change as the ticket's used, as it goes through the system?
And then ultimately you're looking to find out what that data means.
And if you're seeking to break that system, you're trying to get it to error or manipulate it somehow.
You want to see what the system response is to data tampering, to repeating states or out of order state transitioning.
So your repeating state, you take a ticket that you've used to enter.
Can you enter with it again?
If you attempt to maybe take a ticket you've purchased but you haven't used yet, can you exit with it?
How does the system respond?
So you sit down.
You read that.
And you're going to read the mag stripe.
And you're going to decode the data.
And you're going to read up.
There it is in all its glory.
Just in a hex there.
We have the two mag stripes each with three tracks.
So I attempted to decode that using the standards.
The International Organization for Standardization.
There's lots in that standard.
But it boils down to six character sets and four-bit character sets.
Some with parity and some without.
I attempted to decode that both forwards and backwards.
And I did it many, many, many times.
I'm always concerned about my work.
I'm always double checking my work.
So I wanted to do it over and over again.
Make sure I'm not making mistakes.
And I did it with software.
I used the software that came with the reader.
And I also did it manually.
Now there's two reasons.
I went through lots of different equipment.
And some of the equipment was not the most accurate.
It wasn't most reliable.
So I wanted to make sure that the software was doing it properly.
It was decoding properly.
And there's an added benefit.
If you go over that data again and again and again,
you start to...
There's patterns, right?
There's patterns that you can see.
And you get to understand that data.
And hopefully by doing so, there's some insights that you can come to
as you're doing the work.
So after doing this again and again and again,
I finally decided that maybe it wasn't using the standards.
Maybe it wasn't encoded at all.
Maybe it was just raw data.
So let's see.
Now when you're going to do your analysis,
you want to reduce the amount of work that you're going to do.
So I'm not a professional.
So all of this is just self-taught.
So if I'm getting anything wrong, let me know.
But I did see a lot of duplication.
So if it's just duplication, I don't need to understand it, right?
It's just something that's duplicated somewhere else.
So I can immediately eliminate these big sections here.
It's the same data over again.
So it leaves me with just these four sections here.
And I didn't need to know this either because, you know, talking about insights,
I realized by looking at that enough times that it's 74.
Whoops.
Go back.
Wrong button.
That is essentially 100 plus the ticket price.
So this was basically a 16-baht single journey ticket.
And that was 100 plus.
16, 116.
So I knew what that was right away based on all that time going over and over again, that data.
So I automatically knew what that was, so I didn't need to worry about that.
I just focused on these.
I'm going to keep doing that.
Hopefully not.
Those four blocks right there.
Now, looking at that, seeking to understand it, I realize there's no encryption.
It's not all different.
So there's no encryption.
There's no parity checks.
If you break out those bits into little blocks and you calculate parity and you see,
does that match what you have on that ticket, it's not there.
Same thing with LRC.
And there are no timestamps.
If you purchased one ticket, you waited 10 seconds, and you purchased another ticket,
none of those values incremented by 10.
So that means you're going to have to go into the field.
You have to run that through the system.
You're going to have to make changes.
Each time you go through the system, you're going to vary that input.
You're going to go through one station, a particular dispenser.
Then you're going to purchase from a particular station from a particular dispenser.
Then you're going to go ahead and use that ticket in a particular station with a particular turnstile.
And you do that different each time.
Vary one input variable and then see how that changes.
Each time you're using it to identify not meaning.
After collecting lots of these tickets, I had some additional insight here.
That little section there, the orange section, never changes.
So that was good.
I didn't need to worry about that then.
If it's not changing, I'd have a hard time understanding what the meaning was going to be,
so I wouldn't worry about it.
And this little section here, while this does change from ticket to ticket,
changes as the ticket is used.
That little section there.
I can't see the green, but it's actually blue up there.
That little section changes as the ticket is used.
Now, as I observed those changes, this is what I found.
Each ticket has a GUID associated with it.
It kind of rolls down there.
And the location.
Initially, it is in a dispenser.
And there's a GUID associated with its arrival there.
When the ticket moves, that location is updated to a turnstile.
And there's a GUID associated with its arrival there.
When the ticket moves, it also changes state.
Going from issued to used to collected.
When you buy it, it's in a dispenser there.
Underline.
It's in the issued state.
When you enter, it goes through a turnstile.
Little turnstile there.
It's in the used state.
When you exit, it's captured by a turnstile.
And then it's in the collected state.
Some additional things I learned.
For all-day passes, the known section, or the 100-plus price,
is used to track trips taken.
The price of that all-day pass is 140 baht.
So it's 240.
So when you take one trip, it's 239, then 238, and then 237.
And there is a different never changes for all-day passes.
Now, this should have struck me earlier.
But unfortunately, I didn't think about it.
It just didn't hit me until after my slides were finalized.
But that would then appear to be a ticket type.
That little section there ends up looking like a ticket type.
Okay.
There's also some handling rules.
To enter, the ticket must have previously been in a collected state.
It would have been sitting in a turnstile someplace,
taken out, brought around, put in that dispenser.
So it's previously in a collected state,
comes out of the dispenser, now in an issued state.
You can use that then, that ticket, to enter.
To exit, the ticket must then be, after that point, in a used state.
Very simple handling rules.
Okay.
Now, we're going to talk about, of course, exploiting a system.
That's kind of why we're here.
But what I want to do is really talk about the conditions
under which the research was done.
I realize now that I was a little bit paranoid during this whole thing.
But you can imagine, being in security, why I might be paranoid.
Because we see bad things.
Some of us do very bad things.
And we do hear occasionally about bad things happening to us.
That's because there's security research outside of actually the work itself.
So at the time, and even right now, I believe, though they're transitioning,
this was done in Thailand, obviously,
and the government is a junta, a military dictatorship.
In those sorts of situations, and I think for the most part in many legal systems,
you are guilty until proven innocent.
They do this very easily with the lèse-majesté laws.
Essentially, you've embarrassed the king, you've embarrassed the government,
you've embarrassed the country.
They say that you do, and you do.
They claim you're guilty.
You are.
As a foreigner, as a farang, you may know the term gweilo or laowai, right?
You know, I don't have rights.
So there was no chance I was going to be able to prove myself innocent.
And anyway, I don't think even if I was a Thai, it would matter too much
because I think in the history of lèse-majesté,
not only one person has ever successfully escaped their fate.
So essentially, if anyone was concerned about what I was doing,
for any number of reasons, they could have just snatched me and put me in jail,
and then I would just stay there until they felt like letting me out.
So needless to say, I took a lot of precautions.
I tried my best not to get arrested.
I did lots of things not to get arrested.
The first thing I did was try to avoid them.
Anybody involved with the BTS.
I avoided the security guards.
Not all entrances apparently had security guards.
There were some entrances that did not.
I found which ones those were, and I spent my time there.
Also, I did something called a dip and dash.
If you're familiar, probably not familiar with Monty Python, but I ran away.
You know, I would go up to, I would saunter.
I'd practice my sauntering.
I would saunter up to, you know, like I'm going to enter.
Maybe I'd pause, look at my phone.
I would dip it, actually slide it in, let it come out,
and then I would just turn around, and I would just walk away.
Not quickly, but not too quickly.
And of course I had an escape route.
I had some dark alley I could go down and disappear to.
I did say I was paranoid, right?
So I had these techniques, this plan really.
But I also could count on them doing their best to avoid me.
Punish for disruptions.
Harmony is important.
In those sort of situations, you have a tendency not to notice stuff.
You don't want to notice stuff.
Also a tendency not to care.
Not going to worry about it.
And you're going to follow procedures.
Exactly what procedure would they have for a strange white guy walking up to a turnstile,
putting a ticket in, and walking away?
Odd, odd behavior.
Not going to be in the manual.
And then of course, avoiding farang or gweilo.
We do weird things, right?
White people are weird.
We do weird things.
And what do you do with weird people?
You leave them alone.
Let them be weird by themselves.
Do what they're going to do.
And then you just stay away from them.
So that does happen.
And any number of reasons, from not being very confident in your English
to any number, as I said, weird behavior.
It's the bees again.
Okay.
Thank you.
I feel included now.
All right.
So, you know, we basically, this is the way I kind of kept my distance and kept myself safe.
So, exploiting the system.
That's what this is about, right?
This is the fun part.
We're going to briefly review, very briefly, what we learned so far.
Talk about the system safeguards that become evident.
When you look at this, you know, this transit system we have here,
this set of subway stations.
The assumptions that they would have had putting this together.
We'll talk about some attacks against their assumptions.
And then, of course, the epic fail that was involved in their design.
Okay.
So what we've learned so far.
It's object-based.
All right.
Physical object and a database object.
I knew there was a database object because I did tamper with the data on the card.
And it knew that something was wrong.
It would say go to the office.
So there's some sort of reference involved.
There are also properties to that object.
And then an identification, a value, a location, and as I realized there,
it's kind of like a type, right?
And there are states.
Issued, used, and collected.
And there's some sort of history.
I don't know why I keep looking at the Chinese slides because I don't read Chinese.
So there's some system safeguards that become evident.
Ticket composition and ticket design.
You weren't going to just walk down to the corner store, right?
Circle K, 7-Eleven, and just pick one of these up.
Mirror, the physical object and database object to prevent tampering.
Handling rules to find values of the objects.
And there's a limited life cycle of the ticket.
They only lasted 24 hours.
And they were, of course, collecting that ticket.
And the final turnstile at the very end of your use.
So the assumptions in putting that together, of course,
would be that no one will be able to reproduce our ticket.
Our system has the only valid objects.
Handling rules will prevent concurrent use.
The damage is limited to that life cycle.
What could happen, right, in 24 hours?
And, of course, after use, the ticket will be in our possession.
They would feel safe, right?
We have all the tickets now.
We would feel good about that.
So we're going to, of course, attack those assumptions,
attempt to invalidate them.
We're going to acquire a suitable ticket.
We're going to capture a valid object.
We're going to try to bypass those rules.
And then see if we can extend that attack to increase the damage.
So I did find someone.
To make blank tickets.
And I did copy a shit ton of objects in the issued state.
You can do that.
That's what's nice about magstripe.
Found a flaw in the handling rules.
The collected state found in the current life cycle
overrides all other states.
It overrides even concurrency.
So objects are always seen as recently collected.
You can run that original ticket.
And then all the copies immediately become valid.
Honestly, I think they were worried about
someone going through the turnstile,
handing it back to a friend.
They had been using that same ticket to go in.
And that's honestly all I think they were concerned about.
Unfortunately, that didn't work.
Not quite a demonstration, but just a visualization
of how this is working.
So typically, you got the original in use there.
Someone tries to use one of those copies.
It follows those rules.
When we saw it before, it was in used state.
It's now currently in the issued state.
It violates the rules.
And you can't use it.
Any of the copies you try to use.
However, if you let it pass through all the way,
it blocks any concurrent use of the ticket.
So if you've got three other friends,
four other friends using this ticket,
it doesn't really know it.
All it does is see if previously it's collected.
Last one.
Now it sees it in the issued state.
And so it sees it in isolation, really.
And then allows that to pass through.
And that's the same for any of them.
They're all seeing the same thing.
They're seeing it in isolation at that point.
It just sees the previous state for where the object is collected.
It's now in the issued.
You've got it.
And you can just then walk in.
It's not complicated.
It's not like a really technical hack.
It's just you just learn how the system works.
You learn the state machine,
and then you learn ways to abuse it,
ways to manipulate it.
So you can abuse it.
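As an added illustration, not code from the talk or from BTS, here is a Python model of the state machine and handling rules just described: a magstripe object mirrored by a database object, issued to used to collected, with the flawed "collected overrides everything" entry rule beside a ledger-authoritative rule that also checks the arrival GUID a dispenser recorded. Ticket ids, dispenser and turnstile names are constructed.

```python
"""Model of the ticket state machine from the talk (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field, replace
from enum import Enum
import uuid


class State(Enum):
    ISSUED = "issued"
    USED = "used"
    COLLECTED = "collected"


@dataclass(frozen=True)
class Stripe:
    """What the magstripe carries: no timestamp, parity, LRC or MAC."""
    ticket_id: str   # GUID of the ticket object
    state: State
    location: str    # dispenser or turnstile the object last arrived at
    arrival: str     # GUID of that arrival

    def copy(self) -> "Stripe":
        # A raw read followed by a raw write reproduces the object exactly.
        return replace(self)


@dataclass
class Record:
    """The back-end (database) object mirrored to the stripe."""
    state: State
    history: list = field(default_factory=list)  # (location, arrival, state)


class BackEnd:
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.ledger: dict[str, Record] = {}

    def issue(self, dispenser: str, ticket_id: str | None = None) -> Stripe:
        """A dispenser starts a new life cycle for a new or recycled object."""
        tid = ticket_id or str(uuid.uuid4())
        arrival = str(uuid.uuid4())
        self.ledger[tid] = Record(State.ISSUED, [(dispenser, arrival, State.ISSUED)])
        return Stripe(tid, State.ISSUED, dispenser, arrival)

    def _accept_entry(self, stripe: Stripe, rec: Record) -> bool:
        if stripe.state is not State.ISSUED:
            return False  # handling rule: only an issued ticket may enter
        if self.strict:
            # Ledger is authoritative: the object must be ISSUED right now and the
            # stripe must carry the arrival GUID the dispenser actually recorded.
            return rec.state is State.ISSUED and rec.history[-1][1] == stripe.arrival
        # Flawed rule from the talk: a COLLECTED record anywhere in the current
        # life cycle overrides the current state, so an ISSUED stripe is taken at
        # face value and every copy is seen "in isolation".
        collected_seen = any(s is State.COLLECTED for _, _, s in rec.history)
        return rec.state is State.ISSUED or collected_seen

    def enter(self, stripe: Stripe, turnstile: str) -> Stripe | None:
        rec = self.ledger.get(stripe.ticket_id)
        if rec is None or not self._accept_entry(stripe, rec):
            return None  # gate stays shut: "go to the office"
        arrival = str(uuid.uuid4())
        rec.state = State.USED
        rec.history.append((turnstile, arrival, State.USED))
        return Stripe(stripe.ticket_id, State.USED, turnstile, arrival)

    def exit(self, stripe: Stripe, turnstile: str) -> bool:
        rec = self.ledger.get(stripe.ticket_id)
        if rec is None or stripe.state is not State.USED or rec.state is not State.USED:
            return False
        rec.state = State.COLLECTED  # single-journey ticket is captured here
        rec.history.append((turnstile, str(uuid.uuid4()), State.COLLECTED))
        return True


def run_copy_scenario(strict: bool) -> dict:
    """Buy one ticket, clone it, ride with the original, then try the copies."""
    be = BackEnd(strict)
    original = be.issue("dispenser-A-1")
    copies = [original.copy() for _ in range(3)]
    used = be.enter(original, "turnstile-A-2")          # original enters: USED
    during = [be.enter(c, "turnstile-A-3") is not None for c in copies]
    assert used is not None and be.exit(used, "turnstile-B-1")  # original collected
    after = [be.enter(c, "turnstile-A-3") is not None for c in copies]
    tampered = be.enter(Stripe("no-such-object", State.ISSUED, "x", "y"), "t") is not None
    return {"during": during, "after": after, "tampered": tampered}


if __name__ == "__main__":
    print("flawed :", run_copy_scenario(strict=False))
    print("strict :", run_copy_scenario(strict=True))
```

With the flawed rule the copies are refused while the original is in use and all accepted once it has been collected; with the ledger-authoritative rule they are refused in both cases, and a tampered object id is refused either way.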
Of course, you've got to prove it.
We're going to have some data to show exactly what's going on.
And in fact, that is what is happening.
So you have three single journey tickets there.
You can see that the price is the same.
The station is the same.
You have the dispenser.
And you can see that it's basically the same instance of the object.
So the same ticket.
The original and copies.
And you can see that it's been used three separate times.
It's the same station, different turnstiles,
and different arrivals there.
So you've got different GUIDs for that entry.
So you use it three times.
And it's the same thing with the lower one here,
which is the all-day pass.
Basically got the same ticket, the same object.
And you're going ahead and using it two separate times.
Different stations, different turnstiles,
and obviously different usage based on the different GUIDs there.
Okay.
Ah, yes.
The demo.
So we're going to go ahead and show you me using one of my counterfeit tickets.
Yes, it's mostly my feet.
Saaz said that he could tell it was me by my sandals.
I'm glad he didn't say he could tell it was me because of my feet.
That would have been weird.
A lot of my sandals there.
But what I wanted to capture, I was still very paranoid,
was the fact that I was using a counterfeit ticket.
I was exiting the station using a counterfeit ticket.
You know, accepted it.
It let me out.
Mainly, you know, it let me out, right?
So, yes, simple hack.
Just understanding that system.
Learning how it works.
And then manipulating it.
Right?
Now, that's an exploit.
Very simple.
Let's turn that into an attack.
All right?
To do that, you're going to have to have tickets.
Lots of them, right?
And a plan.
You got to find some cards.
And you have to punch some holes.
All right.
So the cards.
You can't go, as I said, you can't go to the store.
You can't order from a catalog.
Ah, Alibaba.
Thank you again.
I love Alibaba.
So I put RFP on Alibaba.
I got lots of samples.
I ran some trials.
And finally, after a very long time, found a winning bid.
All right?
So there's thousands of companies.
I'm just, of course, guessing.
Probably millions.
And you just tell them what you want.
Anything at all.
And they'll make it for you.
All right?
I had many, many offers.
All failed at one company.
Most of them said you couldn't do it.
Can't be done.
Those that said you could, they'd send me a sample.
It was too thick.
You had some Vernier calipers.
Too thick.
One finally said, yes, we can.
And they actually did.
Okay?
All right.
Took many months to find them.
Many, many months.
And lots of difficult conversations via e-mail.
There is our winning bid.
See there?
The two mag stripes.
It is very thin.
I was concerned about it jamming.
I didn't need attention.
I was probably overdoing it with my precautions as far as running the ticket through.
But if it got jammed, yeah.
There was no way I was going to escape attention if that thing got jammed.
So I was very concerned about that thickness.
So we have that thickness there.
And then the hole.
This is what I used to punch the holes.
I went out back.
That's a construction refuse.
Construction waste.
And so I just grabbed what looked like a piece of a pallet.
A chunk of a pallet.
A rusty, yes, a very rusty pipe.
I had to clean that sucker off.
And I got these concrete.
I was in Cambodia.
I had no way.
It was crazy.
It took me a very long time to find those concrete nails.
Because I travel quite a bit.
But I did find some concrete nails for that.
And so I would just sit there in my room and just pound.
And get another one and then pound.
And, yeah, go at it and just create a bunch of those things.
So our plan.
We're going to buy a daily pass.
We're going to copy that daily pass to lots of other tickets.
These counterfeit tickets.
We're going to use that original.
They're going to hand out those copies to a couple of your friends.
Have some fun.
And you can do that every day.
Every single day.
And you can use them all at the same time.
It has no problem with it.
But, I mean, yes, it's fun.
It's a fun thing to do.
But it's something that could end up being much, much bigger.
You've got a lot of people writing to BTS.
So you could start with that one daily pass that you have.
It's 140 baht or $3.
Spend 50 cents to buy some blanks for your friends.
So that's $3.50.
Loss to the company, $22.58.
I think it probably does not include the original $3 purchase.
Eh, you know, then I'm going to notice.
But let's say you want to escalate a little bit there.
So you spend your $3 to get your all-day pass.
And then maybe instead you get, you know, $1,000.
It's $100.
So it's $103 to do $4,516 worth of damage.
If you use all-day pass, and of course you want to use an all-day pass,
you get to keep those.
They don't get captured by the turnstile.
They come out.
So every subsequent day, your attack is costing you $3.
So $3 to do $4,516 worth of damage.
And you're going to keep doing this.
Let's say you're a devious guy.
You're not doing this for a lot of fun.
I think at $1,000 you're not doing this for fun anymore.
You're doing this for a month.
You know, $137,000.
Six months, $824,000.
One year, five years.
$8,241,000 worth of damage.
You could make something out of this.
You could, you know, I don't know their budgets,
but you could slowly bleed them to death.
Missing funds.
Not having necessarily the money to do the repairs they need to do.
To do upgrades that they need to do.
If you're talking about making that network unreliable,
you're undermining that transport system.
That's $1,000.
If you wanted to do a little bit more, if you wanted to spend more time,
you could spend, you know, a nation state could,
could certainly ramp it up a little bit more than that.
And with $1,000 or $2,000 in these tickets,
you could probably escape notice.
Right?
I guess it really depends on how they're eyeballs on.
But it's not just something that's fun.
It's something that could do a lot of damage to an organization over time.
So yeah, we can extend that attack.
We can do more to them than just that one quick ride through the system.
So the implications for the BTS.
Millions of dollars in losses, obviously, over time.
More important to the Thais, loss of face.
Public embarrassment.
It's much more important to them.
So what was the response from the BTS?
And maybe I'm asking for trouble.
Maybe I'll be stopped in immigration when I get back.
We'll find out.
You know, I was not in the right social circles.
I didn't have the status necessary, unfortunately, to be acknowledged.
I'm not passing judgment.
That's just the rules of the game.
So they didn't recognize me.
They didn't return email, phone calls.
I tried multiple times.
Different people, different parts of the organization.
So some lessons for us, obviously, and lessons for them.
There is no hardware-only solution.
I don't think there has been for a very long time.
The most common way of realizing that is you talk about the firmware attacks, right?
Lots of firmware attacks.
There's software in there.
Solutions are complex.
And there is software in there and logic flaws as well, right?
Also, trusting assumptions can be dangerous.
I think that's something you can stick at the end of every single talk here, not to trust your assumptions.
Don't be afraid where the research might lead you.
You know, measure your risk wisely.
And if you think about this, I was not worried about breaking a law before proceeding.
I was thinking over and over again what could go wrong, and, of course, I was including the people.
In fact, it was primarily the people.
I wasn't worried about breaking anything.
I was worried about their reaction.
It was a junta.
They have guns.
Right?
The BTS?
This is probably a harder thing to learn, right?
Don't let social conventions blind you.
I think this is all about, you know, learning to break free of that.
Not everyone thinks like you, all right?
There are gweilo running around.
There are farang.
There are various different types of people that think differently than you.
Some are here to help, like me.
Others are not.
Others might be looking to do you some harm, so it's important that you talk to them, even if it's just an assistant, all right?
If you're worried about wasting a lot of time, don't.
You ask them to show you something, all right?
If you do that, you're not going to be spending a lot of time with people, all right?
And the time you do spend will be well worth it.
And, of course, the ever-popular cover it up later.
Once again, not passing judgment.
There are different ways to handle situations.
I would not choose to handle it that way.
I suspect they would, but they can.
And they can always, they could have talked to me, you know, said, hey, don't talk about this.
Okay, I won't.
You can always cover it up later.
Seriously.
I say it with all sincerity.
So avoiding their fate.
You want to test all layers, all layers of a solution.
Testing for application issues or system responses.
And, of course, checking your assumptions.
And that is what the yearly pen test is for.
Many companies are either not doing a pen test, or it's just a check box.
And they aren't really concerned about who's doing it or why.
They just want a good score.
All right?
They need to pay more attention to these things.
They need to actually have these pen tests.
They need to make sure it's done by someone who knows what they're doing.
All right?
Because I'll tell you, if they were doing some of these things, this wouldn't happen.
Doing things like compensating and mitigating controls.
They're monitoring the use of that system.
I was doing this over two years, man.
Two years.
Because I would do this part-time.
I'd be in Bangkok and I would just run down to the BTS station.
So two years.
And they apparently didn't notice anything because nothing was fixed.
And I was never, of course, grabbed by anybody.
All right.
So what are they doing now?
They're on to second generation.
Everything's NFC now.
I presume the issues are still there.
A little harder to get to.
But I suspect that's possible.
You know, we are seeing attacks against NFC.
There's also other types of attacks you can do and move laterally to get that key in order to crack the NFC card and get access to that key to basically do the same attack again.
Because you can read the ticket.
You can make another one on your own.
And you can do the same attack.
And, of course, there are still no channels for sharing.
I did check the website.
There's no contact us for this.
There's no contact us for that.
Knowing the wrong people, I suppose.
And definitely ignore me.
So ignore me.
So final thoughts.
Transit systems are fun.
But they can also get you into trouble.
I believe that first talk, anatomy of a subway hack, they were prepared to give that talk.
But I think they were threatened with legal action.
So they didn't end up giving the talk.
The slides got out.
That's why we know about the details.
But, yeah, they could not do that talk.
So these kind of talks can get you into trouble.
But you don't know until you try.
You've got to give it a try.
Reverse engineering is key.
I think that's what exploitation really is about is doing some reverse engineering, understanding how the system, how its software works.
You know, so you can exploit it, of course.
And then you've got to have some balls.
You know, you have to go out there.
You have to know that something may happen.
That's fine.
Just be prepared.
Don't believe, you know, a lot of the assurances.
They're always giving you assurances about how safe a system is.
Look to see yourself.
And I hate to say this as a network guy.
I never did want to do AppSec.
I just got forced to do AppSec.
But, yeah, AppSec was the win here.
Just understanding that system.
Nothing too complicated.
Some links.
If you want to learn more about those other talks.
Different companies involved.
Equipment.
Follow in the footsteps there.
The people who made that card for me.
And, of course, the BTS.
That's it.
Thanks, everybody.
